
CCPA fundamentals (or CCPA 101) : Consumer Rights Under CCPA

Type: Blog | Topic: Compliance

CCPA provides consumers with several fundamental rights pertaining to their personal information. Businesses familiar with the data subject rights provided under the GDPR will have little trouble complying with the rights provided under the CCPA. Slight variations exist, but the process flows will be similar.

Consumer rights under the CCPA include:

The right to know what personal information is collected. This right falls under the “transparency” principle of the CCPA and is tied closely to the notice requirements. Consumers have the right to receive clear, transparent information regarding the categories and specific pieces of personal data the business has collected, the purpose of collecting and/or selling the personal data, and the categories of third parties to whom the data has been disclosed.

The right to know whether their personal information is sold or disclosed and to whom. When consumers make this type of request, organizations must provide the categories of personal data that have been collected, the categories of personal data the organization has sold or disclosed to a third party, and the categories of third parties to whom the personal data has been disclosed.

Tip: Through a completed data inventory and data mapping exercise, organizations will easily be able to respond to this type of rights request as they will have already mapped out where data comes from and where data flows to. Businesses that do not yet have a personal data inventory or data map should prioritize mapping any California personal data processed first. The data map must be regularly reviewed to ensure it is continuously updated.

The right to opt-out of the sale of their personal information. The right to opt-out of the sale of personal data encapsulates the importance of giving the consumer more control over their data. Businesses are required to provide consumers with a “clear and conspicuous” link titled “Do Not Sell My Personal Information” on the homepage of their website. This link should direct consumers to a separate page that allows them to opt out of the sale of their personal data.

Tip: To give consumers the most control, organizations should consider offering a granular/layered opt-down with an overall opt-out option. This can be accomplished through a preference center similar to those commonly used for email opt-outs. Once a consumer does exercise this right, organizations must honor the request for a minimum of 12 months before seeking additional permission from the consumer to sell their personal data.

The right to access their personal information. When a consumer exercises this right, organizations must provide the consumer, free of charge, with a copy of the personal data processed about them. The CCPA allows this information to be provided by mail or electronically. If provided electronically, the information should be in a portable format that allows the consumer to transfer the data to another entity. Because a response to an access request may contain sensitive information, we recommend that organizations develop a secure portal that makes the information available for a limited timeframe.

The right to request the deletion of their personal information. When consumers exercise this right, organizations must delete all personal data they hold on the consumer within the required 45-day timeframe (an additional 45-day extension is available). Further, the organization must notify any third-party providers to delete the consumer’s personal data as well. All deletion requests should be carefully reviewed by the legal team, as the CCPA provides various exceptions to the requirement to honor this right, such as when the organization must retain the data to comply with a legal obligation or to complete a transaction with the consumer.

Tip: The data inventory and data mapping exercise will allow for organizations to easily identify all systems that process the consumer’s personal data to ensure the right is fully honored and/or determine to which data this right applies.

The right to equal service and price, regardless of whether they exercise their privacy rights. Organizations are prohibited from discriminating against consumers because they have exercised any of the rights listed above. Specifically, organizations cannot deny goods or services to the consumer, charge different prices for goods or services, impose penalties, provide a different level or quality of goods or services, or suggest that the consumer will receive a different price for the goods or services. However, the CCPA does allow different levels of goods or services to be offered if the difference is commensurate with the value lost by being unable to monetize the consumer’s data. It remains to be seen how organizations will approach this and how regulators will enforce this gray area of the regulation.

Prior to honoring a request, organizations must make reasonable efforts to authenticate consumers to ensure the request is valid. This could occur through verifying a customer ID number or using email verification, among other methods.

Businesses have 45 days to respond to consumer rights requests. If reasonably necessary, businesses can extend this timeframe by an additional 45 days but must notify the consumer of the extension within the initial 45-day period. Clarification has not yet been provided regarding when it would be “reasonably necessary” to request the extension. Due to the strict timeframe to review and respond to these rights requests, organizations should have a centralized source for all requests to flow to for review. Records should be retained indicating the day the request was received and the due date for response.

Tip: It is recommended that organizations develop templated responses for each type of request to allow for easier and more consistent responses. As with most compliance-related issues, it will be up to the business to demonstrate that it responded to the request within the allotted timeframe. Therefore, records should be retained documenting the actions taken on the request (e.g., honored the request, denied the request under an exemption, or requested an extension).
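A small Python model of the centralized request log described above, added here as an example that is not from the post or from CompliancePoint: it derives the 45-day due date from the received date, permits the single 45-day extension only when the consumer notice falls inside the initial window, and keeps the per-request action record. The class, field and method names are assumptions, and the sample request in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW = timedelta(days=45)  # initial CCPA response period
EXTENSION = timedelta(days=45)        # one extension of the same length


@dataclass
class RightsRequest:
    """One entry in a centralized rights-request log (hypothetical model)."""
    request_id: str
    request_type: str          # "access", "deletion", "opt-out", ...
    received_on: date
    extended: bool = False
    actions: list = field(default_factory=list)   # (date, note) pairs

    @property
    def initial_due(self) -> date:
        return self.received_on + RESPONSE_WINDOW

    @property
    def due_date(self) -> date:
        return self.initial_due + EXTENSION if self.extended else self.initial_due

    def request_extension(self, notified_on: date, reason: str) -> date:
        """Extend once by 45 days; the notice must go out inside the initial window."""
        if self.extended:
            raise ValueError("only one 45-day extension is available")
        if notified_on > self.initial_due:
            raise ValueError("extension notice must be sent within the initial 45-day period")
        self.extended = True
        self.actions.append((notified_on, "extended: " + reason))
        return self.due_date

    def record_action(self, on: date, note: str) -> None:
        self.actions.append((on, note))   # e.g. "honored: ..." or "denied: exemption ..."

    def overdue_on(self, today: date) -> bool:
        closed = any(n.startswith(("honored", "denied")) for _, n in self.actions)
        return not closed and today > self.due_date


def demo() -> dict:
    """Constructed sample: received 2020-01-01, extended on 2020-02-10, honored 2020-03-30."""
    req = RightsRequest("REQ-0001", "deletion", date(2020, 1, 1))
    out = {"initial_due": req.initial_due.isoformat()}
    out["extended_due"] = req.request_extension(date(2020, 2, 10), "processor lookup").isoformat()
    out["overdue_before_action"] = req.overdue_on(date(2020, 4, 1))
    req.record_action(date(2020, 3, 30), "honored: deleted and processors notified")
    out["overdue_after_action"] = req.overdue_on(date(2020, 4, 1))
    return out
```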

As previously mentioned, a completed data inventory and data mapping exercise will greatly reduce the burden on businesses in the event they receive a rights request. This exercise should document all California personal data collected both directly and indirectly from California residents. Therefore, all business units should be included in the data mapping exercise, including Human Resources, Legal, Business Intelligence, Customer Support, Marketing, Website, Sales, Information Technology, and Information Security. A data mapping exercise will allow businesses to document why personal data is processed and how the data is processed lawfully. As such, the data map will also allow businesses to determine when the various rights apply and must be honored.

This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.

Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College. www.compliancepoint.com